Security researcher Matt Kunze discovered that the Google Home smart speaker could be compromised and that attackers could use it to install a backdoor.
Threat actors could use this to monitor the user's conversations, control the device, and remotely access its microphone feed.
Kunze was awarded $107,500 for responsibly disclosing the Google Home flaws. He also published details of how the flaw could be exploited, along with an attack scenario demonstrating it.
Google Home Smart Speaker Flaw
The researcher was experimenting with his Google Home Mini speaker and noticed that the Google Home app could send commands to it remotely through a cloud API.
He used the Nmap scanning tool to determine whether Google Home exposed a local HTTP API, and set up a proxy to intercept the traffic in the hope of obtaining the user's authorization token.
The researcher found that adding a new user to the device is a two-step process that requires several pieces of data obtainable from the local API:
- Name of the device
- Cloud ID
This information can be used to send a link request to Google's server. The researcher's Python script automates collection of the local device data and replays the link request to add a rogue user to the target Google Home device.
The researcher published three proofs of concept demonstrating the above actions; they should not work against devices running the latest Google Home firmware.
Once a rogue account has been linked to the target device, an attacker can perform the following actions through the Google Home speaker:
- Control smart switches
- Shop online
- Remotely unlock doors
- Remotely unlock vehicles
- Brute-force users' PINs on smart locks
The researcher also discovered that an attacker can abuse the "call [phone number]" command by adding it to a malicious routine.
This causes the speaker to dial the attacker's number at a chosen time, giving the attacker a live audio feed from the microphone.
The only sign that a call is in progress is a blue LED, which a victim could easily mistake for a firmware update in progress.
The standard indicator that the microphone is active is a pulsing LED, but it is not shown while the call is ongoing.
Google Home Smart Speaker
Kunze discovered the issues in January 2021 and Google corrected them all by April that year. Because the Google Home app relies on Google Play Services OAuth APIs, it cannot simply be patched and repackaged; root access is required to intercept and modify the traffic that Google Home sends and receives.
Google's fix introduces an invite-based system for account linking. Although it is still possible to deauthenticate a Google Home, this can no longer be used to link a new Google account to the device.
It is therefore no longer possible to reach the local API that leaked basic device information.